AWS AmazonRDS medium security documentation change
Summary
Reorganized documentation structure, moved configuration details section lower, removed redundant headers, and updated SQL examples to explicitly use pg_catalog schema qualifications.
Security assessment
The change adds explicit pg_catalog schema qualifications to format() calls in event trigger examples (e.g., pg_catalog.format instead of format). This prevents potential function hijacking via search path manipulation, addressing a security best practice for PostgreSQL. The modification directly impacts security by reducing attack surface for privilege escalation via malicious schema objects.
Diff
diff --git a/AmazonRDS/latest/UserGuide/RDS_delegated_ext.md b/AmazonRDS/latest/UserGuide/RDS_delegated_ext.md index e67fd068e..89b4f0c3f 100644 --- a//AmazonRDS/latest/UserGuide/RDS_delegated_ext.md +++ b//AmazonRDS/latest/UserGuide/RDS_delegated_ext.md @@ -81 +81 @@ You need not restart the database after changing the `rds.allowed_delegated_exte - 3. Allow access to the delegated user to objects created during the extension creation process – Certain extensions create objects that require additional permissions to be granted before the user with `rds_extension` role can access them. The `rds_superuser` must grant the delegated user access to those objects. One of the options is to use an event trigger to automatically grant permission to the delegated user. For more information, refer to the event trigger example in Turning off the support for the delegated extension. + 3. Allow access to the delegated user to objects created during the extension creation process – Certain extensions create objects that require additional permissions to be granted before the user with `rds_extension` role can access them. The `rds_superuser` must grant the delegated user access to those objects. One of the options is to use an event trigger to automatically grant permission to the delegated user. @@ -83,44 +83 @@ You need not restart the database after changing the `rds.allowed_delegated_exte - - - -## Configuration used in RDS delegated extension support for PostgreSQL - -Configuration Name | Description | Default Value | Notes | Who can modify or grant permission ----|---|---|---|--- -`rds.allowed_delegated_extensions` | This parameter limits the extensions a rds_extension role can manage in a database. It must be a subset of rds.allowed_extensions. | empty string | - - * By default, this parameter is empty string, which means that no extensions have been delegated to users with `rds_extension`. - * Any supported extension can be added if the user has permission to do so. To do this, set the `rds.allowed_delegated_extensions` parameter to a string of comma-separated extension names. By adding a list of extensions to this parameter, you explicitly identify the extensions that the user with the `rds_extension` role can install. - * When set to `*`, it means that all extensions listed in `rds_allowed_extensions` are delegated to users with `rds_extension` role. - -To learn more about setting up this parameter, see Turning on delegate extension support to a user. | rds_superuser -`rds.allowed_extensions` | This parameter lets the customer limit the extensions that can be installed in the RDS DB instance. For more information, see [Restricting installation of PostgreSQL extensions ](https://docs.aws.amazon.com//AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.FeatureSupport.Extensions.Restriction) | "*" | By default, this parameter is set to "*", which means that all extensions supported on RDS for PostgreSQL and Aurora PostgreSQL are allowed to be created by users with necessary privileges. Empty means no extensions can be installed in the RDS DB instance. | administrator -`rds-delegated_extension_allow_drop_cascade` | This parameter controls the ability for user with `rds_extension` to drop the extension using a cascade option. | off | By default, `rds-delegated_extension_allow_drop_cascade` is set to `off`. This means that users with `rds_extension` are not allowed to drop an extension using the cascade option. To grant that ability, the `rds.delegated_extension_allow_drop_cascade` parameter should be set to `on`. | rds_superuser - -## Turning off the support for the delegated extension - -###### Turning off partially - -The delegated users can’t create new extensions but can still update existing extensions. - - * Reset `rds.allowed_delegated_extensions` to the default value in the DB cluster parameter group. - - * Use the following command at the database level: - - alter database database_name reset rds.allowed_delegated_extensions; - - * Use the following command at the user level: - - alter user user_name reset rds.allowed_delegated_extensions; - - - - -###### Turning off fully - -Revoking `rds_extension` role from a user will revert the user to standard permissions. The user can no longer create, update, or drop extensions. - - - postgres => revoke rds_extension from user_name; - -###### Example of event trigger +Example of event trigger @@ -147 +103 @@ If you want to allow a delegated user with `rds_extension` to use extensions tha - FOR r IN SELECT * FROM pg_event_trigger_ddl_commands() + FOR r IN SELECT * FROM pg_catalog.pg_event_trigger_ddl_commands() @@ -166,3 +122,3 @@ If you want to allow a delegated user with `rds_extension` to use extensions tha - EXECUTE format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.us_gaz TO %I WITH GRANT OPTION;', schemaname, databaseowner); - EXECUTE format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.us_lex TO %I WITH GRANT OPTION;', schemaname, databaseowner); - EXECUTE format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.us_rules TO %I WITH GRANT OPTION;', schemaname, databaseowner); + EXECUTE pg_catalog.format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.us_gaz TO %I WITH GRANT OPTION;', schemaname, databaseowner); + EXECUTE pg_catalog.format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.us_lex TO %I WITH GRANT OPTION;', schemaname, databaseowner); + EXECUTE pg_catalog.format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.us_rules TO %I WITH GRANT OPTION;', schemaname, databaseowner); @@ -170 +126 @@ If you want to allow a delegated user with `rds_extension` to use extensions tha - EXECUTE format('ALTER TEXT SEARCH DICTIONARY %I.intdict OWNER TO %I;', schemaname, databaseowner); + EXECUTE pg_catalog.format('ALTER TEXT SEARCH DICTIONARY %I.intdict OWNER TO %I;', schemaname, databaseowner); @@ -172,3 +128,3 @@ If you want to allow a delegated user with `rds_extension` to use extensions tha - EXECUTE format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.part_config TO %I WITH GRANT OPTION;', schemaname, databaseowner); - EXECUTE format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.part_config_sub TO %I WITH GRANT OPTION;', schemaname, databaseowner); - EXECUTE format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.custom_time_partitions TO %I WITH GRANT OPTION;', schemaname, databaseowner); + EXECUTE pg_catalog.format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.part_config TO %I WITH GRANT OPTION;', schemaname, databaseowner); + EXECUTE pg_catalog.format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.part_config_sub TO %I WITH GRANT OPTION;', schemaname, databaseowner); + EXECUTE pg_catalog.format('GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE %I.custom_time_partitions TO %I WITH GRANT OPTION;', schemaname, databaseowner); @@ -176,4 +132,4 @@ If you want to allow a delegated user with `rds_extension` to use extensions tha - EXECUTE format('GRANT SELECT, UPDATE, INSERT, DELETE ON ALL TABLES IN SCHEMA topology TO %I WITH GRANT OPTION;', databaseowner); - EXECUTE format('GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA topology TO %I WITH GRANT OPTION;', databaseowner); - EXECUTE format('GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA topology TO %I WITH GRANT OPTION;', databaseowner); - EXECUTE format('GRANT USAGE ON SCHEMA topology TO %I WITH GRANT OPTION;', databaseowner); + EXECUTE pg_catalog.format('GRANT SELECT, UPDATE, INSERT, DELETE ON ALL TABLES IN SCHEMA topology TO %I WITH GRANT OPTION;', databaseowner); + EXECUTE pg_catalog.format('GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA topology TO %I WITH GRANT OPTION;', databaseowner); + EXECUTE pg_catalog.format('GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA topology TO %I WITH GRANT OPTION;', databaseowner); + EXECUTE pg_catalog.format('GRANT USAGE ON SCHEMA topology TO %I WITH GRANT OPTION;', databaseowner); @@ -189,0 +146,42 @@ If you want to allow a delegated user with `rds_extension` to use extensions tha + + +## Configuration used in RDS delegated extension support for PostgreSQL + +Configuration Name | Description | Default Value | Notes | Who can modify or grant permission +---|---|---|---|--- +`rds.allowed_delegated_extensions` | This parameter limits the extensions a rds_extension role can manage in a database. It must be a subset of rds.allowed_extensions. | empty string | + + * By default, this parameter is empty string, which means that no extensions have been delegated to users with `rds_extension`. + * Any supported extension can be added if the user has permission to do so. To do this, set the `rds.allowed_delegated_extensions` parameter to a string of comma-separated extension names. By adding a list of extensions to this parameter, you explicitly identify the extensions that the user with the `rds_extension` role can install. + * When set to `*`, it means that all extensions listed in `rds_allowed_extensions` are delegated to users with `rds_extension` role. + +To learn more about setting up this parameter, see Turning on delegate extension support to a user. | rds_superuser +`rds.allowed_extensions` | This parameter lets the customer limit the extensions that can be installed in the RDS DB instance. For more information, see [Restricting installation of PostgreSQL extensions ](https://docs.aws.amazon.com//AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.FeatureSupport.Extensions.Restriction) | "*" | By default, this parameter is set to "*", which means that all extensions supported on RDS for PostgreSQL and Aurora PostgreSQL are allowed to be created by users with necessary privileges. Empty means no extensions can be installed in the RDS DB instance. | administrator +`rds-delegated_extension_allow_drop_cascade` | This parameter controls the ability for user with `rds_extension` to drop the extension using a cascade option. | off | By default, `rds-delegated_extension_allow_drop_cascade` is set to `off`. This means that users with `rds_extension` are not allowed to drop an extension using the cascade option. To grant that ability, the `rds.delegated_extension_allow_drop_cascade` parameter should be set to `on`. | rds_superuser + +## Turning off the support for the delegated extension + +###### Turning off partially + +The delegated users can’t create new extensions but can still update existing extensions. + + * Reset `rds.allowed_delegated_extensions` to the default value in the DB cluster parameter group. + + * Use the following command at the database level: + + alter database database_name reset rds.allowed_delegated_extensions; + + * Use the following command at the user level: + + alter user user_name reset rds.allowed_delegated_extensions; + + + + +###### Turning off fully + +Revoking `rds_extension` role from a user will revert the user to standard permissions. The user can no longer create, update, or drop extensions. + + + postgres => revoke rds_extension from user_name; +